Botnets and NUWAR Worms

Posted on January 4, 2007
Filed Under Internet, Networking, Security, Windows

On December 6, I wrote about the incredible increase in spam email over the past six months or so. In the month since then the spam rate has continued to increase and, in fact, there has never been a time when spam has been worse than it is today.

In that column I suggested that the advent and rise in use of “image spam” – spam that uses an image of text rather than text itself to get its message out – and “botnets” were the main contributors to the rise in spam. While I concentrated on “image spam”, it became clear over the Holidays that perhaps I hadn’t given botnets their fair due.

A botnet is a number of computers that have been infected with a worm, virus or similar malware that allows someone to control them remotely. They have recently been used to send spam from the infected computers, but they can be used for any number of purposes.

What caught my attention most over the Holidays were the spam messages with variants of the subject line “Wishing You Happiness!” and a compressed file attachment. The one I picked at random to investigate had an attachment named postcard.exe.zip and there was nothing in the message body.

I opened the attachment (you don’t want to do this at home – or at work for that matter) to see if my virus scanner would complain. It did. Loudly. And as I looked back through my inbox I realized there were a lot of similar messages.

The attachment contained a single file, postcard.exe, that was infected with the Win32/Tibs!generic (AKA WORM_NUWAR.LG) worm. This worm is a member of the NUWAR family of worms, and Trend Micro says in a red-bordered box you can’t miss in their Virus Encyclopedia:

“This worm is part of a complex attack initiated by the NUWAR family. The attack employs multiple components that work together to achieve a common goal.”

And they’re not kidding. The NUWAR family are sophisticated worms that use seemingly harmless subject lines in email messages to entice users to open the attachment. Once infected with the worm, a complex chain of events takes place that can result in a multitude of different outcomes, most of them unpleasant.
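The mailing described above has several traits a mail gateway can check for before a user ever sees the attachment: a greeting-card subject line, an empty body, a double extension such as postcard.exe.zip, and an executable packed inside a zip. The following is an added example, not code from the original post or from any vendor named in it; the sample message it builds is constructed here, the "executable" inside the zip is inert filler bytes, and the extension lists and subject keywords are assumptions chosen to match what the post reports.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists: extensions that should not arrive by mail, directly or inside an archive.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
ARCHIVE_EXTENSIONS = {".zip"}

# Subject-line fragment observed on the mailing described in the post.
SUSPECT_SUBJECT_WORDS = ("wishing you happiness",)


def _extension(name):
    """Final extension of a filename, lower-cased, or '' if there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def _has_double_extension(name):
    """True for names like 'postcard.exe.zip': an executable extension hidden before the last one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and "." + parts[-2] in EXECUTABLE_EXTENSIONS


def inspect_archive(data):
    """List executable members of a zip payload without extracting anything to disk."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if _extension(info.filename) in EXECUTABLE_EXTENSIONS:
                    findings.append(f"executable_in_archive:{info.filename}")
    except zipfile.BadZipFile:
        # A corrupt or non-zip payload is itself worth a look.
        findings.append("unreadable_archive")
    return findings


def scan_message(raw):
    """Return a list of findings for one raw RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = (msg["subject"] or "").lower()
    if any(word in subject for word in SUSPECT_SUBJECT_WORDS):
        findings.append("suspect_subject")

    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        findings.append("empty_body")

    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if _has_double_extension(name):
            findings.append(f"double_extension:{name}")
        if ext in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable_attachment:{name}")
        elif ext in ARCHIVE_EXTENSIONS:
            findings.extend(inspect_archive(part.get_payload(decode=True)))
    return findings


def build_sample_message():
    """Constructed lookalike of the holiday mailing; the zip member is placeholder text, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("postcard.exe", b"placeholder bytes only, not a real program")
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Wishing You Happiness!"
    msg.set_content("")  # the post notes the body was empty
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="postcard.exe.zip")
    return msg.as_bytes()


def build_clean_message():
    """Constructed ordinary message with a text attachment, for contrast."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.invalid"
    msg["To"] = "you@example.invalid"
    msg["Subject"] = "Meeting notes"
    msg.set_content("Notes from today attached.")
    msg.add_attachment(b"agenda item 1", maintype="text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    print(scan_message(build_sample_message()))
    print(scan_message(build_clean_message()))
```

The archive is inspected in memory only; nothing is extracted or executed, which is the point of filtering at the gateway rather than relying on a desktop scanner after the user has already double-clicked.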

The worm first makes a copy of itself to ward against being removed from the system. Then it sets up a downloader component and downloads a single file that contains a list of commands. Currently the command file instructs the worm to download updates to itself and even more components.

Because the command file can be updated at any time, the worm can be instructed to download and run any sort of malicious software. It thus becomes a highly customizable, ever changing threat.

The worm also downloads a component that searches the hard drive for email addresses. Once it has fully harvested email addresses, the worm can send itself, or whatever other malware the current commands specify, to the list of addresses. To make that task easier, a third component actually installs an email server with which to send email to the harvested addresses.

A final component installs a “rootkit” which is malicious software that can hide other malicious software. A rootkit can be highly effective and in this case helps create a worm that can be modified and upgraded at will and that can be well hidden from virus scanners or anything else that might interfere with it.

Because NUWAR worms can be controlled remotely, infected machines in sufficient numbers amount to a botnet. It boggles the mind to consider tens or hundreds of thousands of stealthy worms just waiting for their next instructions. And NUWAR worms are only one example.
